Because of a security audit requirement, AIX 6.1 has to be configured to accept passwords longer than 8 characters.
For the background, see <<sg247559_IBM AIX Version 6.1 Differences Guide>>.
The original password algorithm:
In /etc/security/login.cfg you can see:
* pwd_algorithm Defines the loadable password algorithm to use when storing
* user passwords. A valid value for this attribute is a name
* of stanza that is defined in /etc/security/pwdalg.cfg.
* The default value is "crypt" that is the legacy crypt()
* algorithm.
usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
maxroles = 8
auth_type = STD_AUTH
That is, the default is crypt, whose effective password length is 8 characters:
Likewise, AIX 6.1 also supports
Command to enable it:
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256
Result of the change:
usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
maxroles = 8
auth_type = STD_AUTH
pwd_algorithm = ssha256
[sca002][root][/]#lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
usw pwd_algorithm=ssha256
Restoring the default state:
[sca002][root][/]#chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=""
[sca002][root][/]#lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
usw pwd_algorithm=
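As an added audit check (not part of the original post), the following Python script parses the stanza format used by /etc/security/login.cfg and reports whether the usw stanza still relies on legacy crypt(). The stanza text is constructed for the example; the rule that an absent or empty pwd_algorithm means crypt follows the lssec output shown above.

```python
# Constructed sample of the usw stanza from /etc/security/login.cfg in the
# state the page shows before chsec is run (no pwd_algorithm attribute).
LOGIN_CFG_BEFORE = """\
* Other security attributes (usw stanza):
*   pwd_algorithm  Defines the loadable password algorithm to use.
usw:
        shells = /bin/sh,/bin/ksh,/usr/bin/ksh93
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = STD_AUTH
"""
# The same stanza after:
#   chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256
LOGIN_CFG_AFTER = LOGIN_CFG_BEFORE + "        pwd_algorithm = ssha256\n"


def parse_stanzas(text):
    """Parse the AIX stanza format: '*' comment lines, 'name:' headers and
    indented 'attribute = value' lines. Returns {stanza: {attribute: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_pwd_algorithm(cfg):
    """An absent or empty pwd_algorithm means the legacy crypt() algorithm,
    which is what lssec reports as 'usw pwd_algorithm=' once it is cleared."""
    return cfg.get("usw", {}).get("pwd_algorithm", "") or "crypt"


def audit_password_length(text):
    """Return (algorithm, finding). crypt() only uses the first 8 characters
    of a password, so a longer minimum length is not actually enforced."""
    algo = effective_pwd_algorithm(parse_stanzas(text))
    if algo == "crypt":
        return algo, "FAIL: legacy crypt(), only the first 8 characters count"
    return algo, "PASS: loadable password algorithm %s in use" % algo


if __name__ == "__main__":
    for state, text in (("before", LOGIN_CFG_BEFORE), ("after", LOGIN_CFG_AFTER)):
        print(state, *audit_password_length(text))
```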
Verifying that it takes effect:
[sca002][root][/]#passwd was
Changing password for "was"
was's New password: 123456789
Enter the new password again:123456789
[sca002][root][/]#telnet localhost
Trying...
Connected to loopback.lab.bsc.
Escape character is '^]'.
telnet (sca002)
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: was
was's Password: 123456789
*******************************************************************************
* *
* *
* Welcome to AIX Version 6.1! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Last unsuccessful login: Thu Nov 24 13:24:28 GMT+08:00 2011 on ftp from scma007.lab.bsc
Last login: Sun May 13 07:24:32 GMT+08:00 2012 on /dev/pts/2 from loopback
[sca002][was][/home/was]#
The password works; verifying further:
[sca002][root][/]#telnet localhost
Trying...
Connected to loopback.lab.bsc.
Escape character is '^]'.
telnet (sca002)
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: was
was's Password: 123456780
3004-007 You entered an invalid login name or password.
login: was
was's Password: 123456781
3004-007 You entered an invalid login name or password.
login: was
was's Password: 123456789
*******************************************************************************
* *
* *
* Welcome to AIX Version 6.1! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
2 unsuccessful login attempts since last login.
Last unsuccessful login: Sun May 13 07:25:42 GMT+08:00 2012 on /dev/pts/2 from loopback
Last login: Sun May 13 07:24:53 GMT+08:00 2012 on /dev/pts/2 from loopback
[sca002][was][/home/was]#
Verification passed.
Now revert to the original setting:
[sca002][root][/]#cat /etc/security/login.cfg
*******************************************************************************
*
* Valid port attributes:
*
* herald Specifies the initial message to be printed out when getty or
* login prompts for a login name. This value is a string that is
* written out to the login port. If the herald is not specified
* for a port or in the default stanza, then the default herald is
* gotten from the message catalog associated with the language
* set in /etc/environment.
*
* logindelay The delay (in seconds) between unsuccessful login attempts.
* This delay is multiplied by the number of unsuccessful logins -
* i.e. if the value is 2, then the delay between unsuccessful
* logins will be 2 seconds, then 4 seconds, then 6 seconds, etc.
* Set this attribute to 0 to disable this feature.
*
* logindisable The number of unsuccessful login attempts before this port is
* locked. Used in conjunction with logininterval. Set this
* attribute to 0 to disable this feature.
*
* logininterval The number of seconds during which logindisable unsuccessful
* login attempts must occur for a port to be locked.
*
* loginreenable The number of minutes after a port is locked that it will be
* automatically unlocked. Setting this attribute to 0 will cause
* the port to remain locked until the administrator unlocks it.
*
* logintimes Defines the times a user can use this port to login. The value
* is a comma separated list of items as follows:
* [!][MMdd[-MMdd]]:hhmm-hhmm
* or
* [!]MMdd[-MMdd][:hhmm-hhmm]
* or
* [!][w[-w]]:hhmm-hhmm
* or
* [!]w[-w][:hhmm-hhmm]
* where MM is a month number (00=January, 11=December), dd is
* the day of the month, hh is the hour of the day (00 - 23), mm
* is the minute of the hour, and w is a weekday (0=Sunday, 6=
* Saturday).
*
* pwdprompt Defines the password prompt message printed when requesting
* password input. The value is a character string. Format
* specifiers will not be interpreted. If the pwdprompt is
* not specified for a port or in the default stanza, then the
* default prompt will be pulled from the message catalog
* associated with the language set in /etc/environment.
*
* sak_enabled Defines whether users are allowed to access the trusted path
* through this port through the use of the secure attention key
* sequence (ctrl-x ctrl-r). Possible values: true or false
*
* synonym Defines the set of ports which are synonyms for the given port;
* the ownership and permissions of these ports are set along with
* the given port's ownership and permissions (and sak_enabled is
* interpreted to be the same for the given port and all of its
* synonyms). This is mainly used for specifying that
* /dev/console and /dev/tty0 (for example) are synonyms since
* /dev/tty0 is the system console in this example. The value is
* a comma separated list of pathnames to device special files.
*
* usernameecho Defines whether the user name should be echoed on a port.
* Possible values: true or false
*
* true User name echo is enabled. This is the default.
* false User name echo is disabled. The user name will
* not be echoed at the login prompt and will be
* masked out of security related messages.
*
* The default stanza contains the default values used if no stanza appears for
* a given port.
*
*******************************************************************************
default:
sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
*/dev/console:
* synonym = /dev/tty0
*******************************************************************************
* auth_method is no longer used.
* Security methods should be configured in /usr/lib/security/methods.cfg
*******************************************************************************
*******************************************************************************
*
* Other security attributes (usw stanza):
*
* shells The list of valid login shells for a user; chuser and chsh will
* only change a user's login shell to one of the shells listed
* here.
*
* maxlogins The maximum number of simultaneous logins allowed on the
* system.
*
* logintimeout The number of seconds the user is given to enter their
* password.
*
* auth_type Determines whether PAM or the standard UNIX authentication
* mechanism will be used by PAM-aware applications.
* Valid values: STD_AUTH, PAM_AUTH
*
* maxroles The maximum number of roles allowed per session.
* For Enhanced RBAC Mode only.
* Possible values: an integer value between 1 and 8.
* Default value is 8.
*
* pwd_algorithm Defines the loadable password algorithm to use when storing
* user passwords. A valid value for this attribute is a name
* of stanza that is defined in /etc/security/pwdalg.cfg.
* The default value is "crypt" that is the legacy crypt()
* algorithm.
*
* mkhomeatlogin Specifies whether to create the home directory at user
* login if the home directory does not exist already.
* Valid values: true or false. Default is false.
*******************************************************************************
usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
maxroles = 8
auth_type = STD_AUTH
[sca002][root][/]#telnet localhost
Trying...
Connected to loopback.lab.bsc.
Escape character is '^]'.
telnet (sca002)
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: was
was's Password: 123456781
3004-007 You entered an invalid login name or password.
login: was
was's Password: 123456780
Connection closed.
[sca002][root][/]#passwd was
Changing password for "was"
was's New password: 123456789
Enter the new password again:123456789
[sca002][root][/]#passwd was
[sca002][root][/]#telnet localhost
Trying...
Connected to loopback.lab.bsc.
Escape character is '^]'.
telnet (sca002)
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: was
was's Password: 123456789
[compat]: 3004-610 You are required to change your password.
Please choose a new one.
was's New password: 123456789
Enter the new password again:
*******************************************************************************
* *
* *
* Welcome to AIX Version 6.1! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
4 unsuccessful login attempts since last login.
Last unsuccessful login: Sun May 13 07:59:22 GMT+08:00 2012 on /dev/pts/2 from loopback
Last login: Sun May 13 07:57:13 GMT+08:00 2012 on /dev/pts/2 from loopback
[sca002][was][/home/was]#exit
Connection closed.
[sca002][root][/]#telnet localhost
Trying...
Connected to loopback.lab.bsc.
Escape character is '^]'.
telnet (sca002)
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: was
was's Password: 123456781
*******************************************************************************
* *
* *
* Welcome to AIX Version 6.1! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Last unsuccessful login: Sun May 13 07:59:22 GMT+08:00 2012 on /dev/pts/2 from loopback
Last login: Sun May 13 08:00:26 GMT+08:00 2012 on /dev/pts/2 from loopback
[sca002][was][/home/was]#
Appendix:
[sca002][root][/]#man chsec
chsec Command
Purpose
Changes the attributes in the security stanza files.
Syntax
chsec [ -f File ] [ -s Stanza ] [ -a Attribute = Value ... ]
Description
The chsec command changes the attributes stored in the security configuration stanza files. These security configuration
stanza files have attributes that you can specify with the Attribute = Value parameter:
* /etc/security/environ
* /etc/security/group
* /etc/security/audit/hosts
* /etc/security/lastlog
* /etc/security/limits
* /etc/security/login.cfg
* /usr/lib/security/mkuser.default
* /etc/nscontrol.conf
* /etc/security/passwd
* /etc/security/portlog
* /etc/security/pwdalg.cfg
* /etc/security/roles
* /etc/security/smitacl.user
* /etc/security/smitacl.group
* /etc/security/user
* /etc/security/user.roles
When modifying attributes in the /etc/security/environ, /etc/security/lastlog, /etc/security/limits, /etc/security/passwd,
and /etc/security/user files, the stanza name specified by the Stanza parameter must either be a valid user name or
default. When modifying attributes in the /etc/security/group file, the stanza name specified by the Stanza parameter must
either be a valid group name or default. When modifying attributes in the /usr/lib/security/mkuser.default file, the Stanza
parameter must be either admin or user. When modifying attributes in the /etc/security/portlog file, the Stanza parameter
must be a valid port name. When modifying attributes in the /etc/security/login.cfg file, the Stanza parameter must either
be a valid port name, a method name, or the usw attribute.
When modifying attributes in the /etc/security/login.cfg or /etc/security/portlog file in a stanza that does not already
exist, the stanza is automatically created by the chsec command.
You cannot modify the password attribute of the /etc/security/passwd file using the chsec command. Instead, use the passwd
command.
Only the root user or a user with an appropriate authorization can change administrative attributes. For example, to modify
administrative group data, the user must be root or have GroupAdmin authorization.
Flags
-a Attribute = Value
Specifies the attribute to modify and the new value for that attribute. If you do not specify the value, the attribute
is removed from the given stanza.
-f File
Specifies the name of the stanza file to modify.
-s Stanza
Specifies the name of the stanza to modify.
Security
Access Control
This command grants execute access only to the root user and the security group. The command has the trusted computing base
attribute and runs the setuid command to allow the root user to access the security databases.
On a Trusted AIX(R) system, only users with the aix.mls.clear.write authorization can modify clearance attributes. Only
users with the aix.mls.tty.write authorization can modify the port attributes.
Auditing Events
Event          Information
USER_Change    user name, attribute
GROUP_Change   group name, attribute
PORT_Change    port, attribute
Files Accessed
Mode  File
rw    /etc/security/environ
rw    /etc/security/group
rw    /etc/security/audit/hosts
rw    /etc/security/lastlog
rw    /etc/security/limits
rw    /etc/security/login.cfg
rw    /usr/lib/security/mkuser.default
rw    /etc/nscontrol.conf
rw    /etc/security/passwd
rw    /etc/security/portlog
rw    /etc/security/pwdalg.cfg
rw    /etc/security/roles
rw    /etc/security/smitacl.user
rw    /etc/security/smitacl.group
rw    /etc/security/user
rw    /etc/security/user.roles
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run
privileged operations. For more information about authorizations and privileges, see Privileged Command Database in
Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the
getcmdattr subcommand. To get the full functionality of the command, besides the accessauths, the role should also have the
following authorizations:
* aix.security.user.audit
* aix.security.role.assign
* aix.security
Examples
1 To change the /dev/tty0 port to automatically lock if 5 unsuccessful login attempts occur within 60 seconds, enter:
chsec -f /etc/security/login.cfg -s /dev/tty0 -a logindisable=5 -a logininterval=60
2 To unlock the /dev/tty0 port after it has been locked by the system, enter:
chsec -f /etc/security/portlog -s /dev/tty0 -a locktime=0
3 To allow logins from 8:00 a.m. until 5:00 p.m. for all users, enter:
chsec -f /etc/security/user -s default -a logintimes=:0800-1700
4 To change the CPU time limit of user joe to 1 hour (3600 seconds), enter:
chsec -f /etc/security/limits -s joe -a cpu=3600
Files
/usr/bin/chsec
Specifies the path to the chsec command.
/etc/security/environ
Contains the environment attributes of users.
/etc/security/group
Contains extended attributes of groups.
/etc/security/audit/hosts
Contains host and processor IDs.
/etc/security/lastlog
Defines the last login attributes for users.
/etc/security/limits
Defines resource quotas and limits for each user.
/etc/security/login.cfg
Contains port configuration information.
/usr/lib/security/mkuser.default
Contains the default values for new users.
/etc/nscontrol.conf
Contains the configuration information of some name services.
/etc/security/passwd
Contains password information.
/etc/security/portlog
Contains unsuccessful login attempt information for each port.
/etc/security/pwdalg.cfg
Contains the configuration information for loadable password algorithms (LPA).
/etc/security/roles
Contains a list of valid roles.
/etc/security/smitacl.user
Contains user ACL definitions.
/etc/security/smitacl.group
Contains group ACL definitions.
/etc/security/user
Contains the extended attributes of users.
/etc/security/user.roles
Contains a list of roles for each user.
/etc/security/enc/LabelEncodings
Contains label definitions for the Trusted AIX(R) system.
/etc/security/domains
Contains the valid domain definitions for the system.
Related Information
The chgroup command, chuser command, grpck command, login command, lsgroup command, lssec command, lsuser command, mkgroup
command, mkuser command, passwd command, pwdck command, rmgroup command, rmuser command, su command, usrck command.
The getgroupattr subroutine, getportattr subroutine, getuserattr subroutine, getuserpw subroutine, putgroupattr subroutine,
putportattr subroutine, putuserattr subroutine, putuserpw subroutine.
Trusted AIX(R) in the Security.